From a 30,000-foot-view perspective, the idea of risk being a driver and a business proposition for the implementation of Identity and Access Management (IAM) is perhaps one of the strongest for garnering executive-level support and budget consideration. Over the last couple of years, we have also seen similar trends in the real or perceived status of economic conditions. Certainly, the convergence of regulatory compliance concerns and risk, in particular, is key to developing a business case for IAM.

From a more granular perspective, the need for recertification of access for users on a periodic basis (specifically, so that you don’t run into "segregation of duty" concerns) is critical for both audit purposes and internal business stakeholders. Establishing some kind of role construct for users internally so that access can be managed by a non-security user population is also an excellent goal that helps generate a compelling business case. It allows end users and departments to more reasonably recertify employee access to certain areas based on functional job requirements. This also allows supervisors and managers to avoid delving way down in the proverbial weeds at a very technical level to determine whether someone should have access to a particular asset or data. While this is not a new revelation, it continues to be a very strong goal for IAM that can be easily inserted translated into a business case. This is particularly true when recognized through an event -- namely a failed audit or compliance penalty.

This convergence around governance risk and compliance with these and similar identity and access concerns has elevated the profile of identity and access management within many organizations. As a result, more projects are being driven at the infrastructure level, and because of the exposure of the risk through effective business cases, we are seeing much more involvement from the CFO and CIO offices in elevating these projects into annual budget consideration.

Another key area to factor in IAM business case development are operational efficiency goals, particularly in light of strains on budget and resources due to the recent econominc downturn. In addition, some of the need is driven by the expanded access needs for internal and external user populations. But, with that comes operational overhead. While this is one of the driving forces in the growth and popularity of cloud services, that’s another subject for another day with its own unique challenges and benefits. As it relates to this subject, the desire to mitigate risk from these external populations, while reducing the operational overhead for providing this level of access, is definitely a key component of the business case for IAM.

The idea of making data and employee collaboration more available to the business, while improving the end user experience and security posture, is a particularly strong driver on the operational efficiency side. We still see the need for password and group management within the classic network world, but for remote group password management in support of operational efficiencies, this is one area where organizations must have a more definitive ROI. This is a catalyst and an effective kick-start for an IAM initiative internally, as IAM can provide a strong correlation between business goals and a classic ROI or risk/cost avoidance. For example:

• Web portal registration and access control allows for remote workers, contractors and satellite office to access centralized data and application infrastructure.
• The growth of unified messaging concepts will bring convergence around email, voicemail and IT services.
• Identity and access management also has begun to have an overlap with information rights management and data leakage prevention, particularly for remote desktops and privileged users.

At the end of the day, it can be very difficult for the IT organization to take on the role of “selling” to the organization, but hopefully some of these considerations provide a solid starting point for developing a compelling and effective business case. Of course, partnering with strategic consulting and integration partners (such as FishNet Security) can provide a significant leg up in achieving business objectives and supporting business goals. The information solutions provider also has a team with the experience -- and the data -- to help ensure that the message resonates and the funding can be justified.